If you are used to masquerading on a Linux 2.2 box, you always used the
ip_masq_icq module in order to get direct client-to-client ICQ working.

Nobody re-implemented this module for netfilter, because the ICQ protocol
is too ugly :) But I guess it's just a matter of time until one is available.

Rusty once pointed out that only modules for protocols with at least one
free client and one free server are going to get integrated into the main
netfilter distribution. As for ICQ, there are only free clients, so it
doesn't meet this criterion. (free as in freedom, not as in free beer,
i.e. RMS' definition)

Some of them are not required, and some haven't been ported to
netfilter yet. Netfilter does full connection tracking even for UDP,
and has a policy of trying to disturb the packets as little as
possible, so sometimes things `just work'.

The 2.4.x kernel series is a stable release, so we can't just submit our
current development into the mainstream kernel. All our code is
developed and tested in netfilter patch-o-matic first. If you
want to use any of the bleeding-edge netfilter functions, you may have
to apply one or more of the patches from patch-o-matic. You can find
patch-o-matic in the latest iptables package (or of course SVN), to be
downloaded from the netfilter homepage.

patch-o-matic now has three different options:

make pending-patches

make most-of-pom

make patch-o-matic

The first one is just to make sure all important bugfixes (which have
been submitted to the kernel maintainers anyway) are applied to your kernel.
The second `most-of-pom` additionally prompts you for all new features which
can be applied without conflict. The third option `patch-o-matic` is for
real experts who want to see all the patches - but be aware, they might
conflict with each other.

patch-o-matic has a neat user interface. Just enter

make most-of-pom (or pending-patches or patch-o-matic, see above)

or, if your kernel tree is not in /usr/src/linux then use

make KERNEL_DIR={your-kernel-dir} most-of-pom

in the top directory of the iptables-package. patch-o-matic checks
for each of the patches if it would apply against the kernel source
you have installed. If a patch would apply, you will see a little
prompt, where you can ask for more information about this patch, apply
the patch, skip to the next one, ...
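
The per-patch check described above can be reproduced by hand with dry runs
of patch(1). The following is an added example, not patch-o-matic's own
code: it assumes GNU patch, the function names are hypothetical, and the
tree and patches are constructed samples.

```shell
#!/bin/sh
# Added example, not patch-o-matic's code. Assumes GNU patch is installed.
# pom_check, make_demo_tree and demo are hypothetical names.

# pom_check TREE PATCHFILE: print "applies", "applied" or "conflict".
# Both probes use --dry-run, so the tree is never modified.
pom_check() {
    tree=$1 patchfile=$2
    # Forward probe: does every hunk apply cleanly to the tree as it is?
    if patch -d "$tree" -p1 -f -s --dry-run < "$patchfile" >/dev/null 2>&1; then
        echo applies
    # Reverse probe: the patch can be backed out, so it is already in the tree.
    elif patch -d "$tree" -p1 -f -s -R --dry-run < "$patchfile" >/dev/null 2>&1; then
        echo applied
    else
        echo conflict
    fi
}

# Constructed sample: a one-file tree plus two patches against it.
make_demo_tree() {
    mkdir -p "$1/tree/net"
    printf 'line one\nline two\nline three\n' > "$1/tree/net/demo.c"
    # fix.patch matches the tree; stale.patch expects text the tree never had.
    for spec in 'fix:line two' 'stale:line zwei'; do
        name=${spec%%:*} old=${spec#*:}
        printf '%s\n' '--- a/net/demo.c' '+++ b/net/demo.c' '@@ -1,3 +1,3 @@' \
            ' line one' "-$old" "+$old (patched)" ' line three' > "$1/$name.patch"
    done
}

demo() {
    work=$(mktemp -d) || return 1
    make_demo_tree "$work"
    for p in "$work"/*.patch; do
        printf '%-12s %s\n' "$(basename "$p")" "$(pom_check "$work/tree" "$p")"
    done
    rm -rf "$work"
}
demo
```

Running the same check after patching tells you whether a given bugfix is
actually present in the tree you are about to build.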

ipnatctl was used to set up your NAT rules from userspace in a very
early development revision of netfilter during the 2.3.x kernels.
It is no longer needed, thus no longer available. All of its
functionality is provided by iptables itself. Have a look at the
NAT HOWTO on the Netfilter homepage.

An implementation of conntrack and NAT for SIP (Session Initiation
Protocol), written by Christian Hentschel, has been in patch-o-matic for
some time now. The implementation has been available since Linux kernel 2.6.18.